Everything we do in the digital world exposes our data to risk. Wireless authentication provides the security measures that protect networks and clients from malicious actors: it is the process by which a client trying to connect to an access point proves that it is legitimate, and vice versa.
Keys are essential for protecting sensitive data such as passwords, access to online banking, cloud computing, emails, personal files, access credentials, and web browsing in general. Hence, keys drive internet security.
The authentication process is executed in the following order: Open System Authentication, 802.1X Authentication, EAP Exchange, and the 4-Way Handshake. Each sub-process uses keys for authentication.
Here are the wireless network security protocols, ordered from best to worst:
WPA3 was introduced in 2018 by the Wi-Fi Alliance. It builds on WPA2, adds more robust authentication, and delivers increased cryptographic strength for markets that handle highly sensitive data.
WPA3 uses SAE (Simultaneous Authentication of Equals) in place of WPA2's PSK (pre-shared key) handshake.
The main difference between WPA and WPA2 is that WPA2 uses AES (Advanced Encryption Standard) instead of TKIP. AES is the NIST-designated encryption standard and supports 256-bit keys.
The downside is that anyone who already has access to the network can wreak havoc; that is, WPA2 offers little protection against an internal threat.
WPA (Wi-Fi Protected Access) is a security protocol for creating secure wireless networks. WPA uses the Temporal Key Integrity Protocol (TKIP) to prevent malicious actors from creating their own encryption key that matches the one used by the network.
TKIP is what makes WPA more secure than WEP (an older security protocol): the keys are constantly changing, unlike the authentication keys in WEP, which stay the same.
WPA still retained elements of WEP to keep older devices compatible, so it had vulnerabilities of its own even though it was a much better alternative to WEP.
WEP (Wired Equivalent Privacy) was the standard protocol from 1999 to 2004. It was a subpar security protocol that offered poor protection: it uses 64-bit encryption, which is easily broken because it is short compared with modern 128-bit and 256-bit encryption.
It used a static authentication key that was easily breakable because the encryption is only 64-bit. Once attackers have successfully recovered the key, they can keep abusing it because it never changes.
An open network has no authentication in place. These are usually public networks, such as those in libraries, malls, and other public areas that offer free Wi-Fi.
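As an added example (not code from the original post), the following Python classifier ranks a hostapd.conf-style access point configuration on the ladder above. The hostapd option names are real; the three configurations are constructed samples, and the label reports the weakest mode a client could still negotiate.

```python
# Added example (not part of the original post): rank a hostapd.conf-style access point
# configuration on the WPA3 > WPA2 > WPA > WEP > Open ladder, reporting the weakest mode
# a client could negotiate. Option names are real hostapd options; configs are constructed.

WEAK = "interface=wlan0\nssid=legacy\nwep_default_key=0\nwep_key0=1234567890\n"
MIXED = ("interface=wlan0\nssid=office\nwpa=3\nwpa_key_mgmt=WPA-PSK\n"
         "wpa_pairwise=TKIP\nrsn_pairwise=CCMP\nwpa_passphrase=constructed-sample\n")
HARDENED = ("interface=wlan0\nssid=office\nwpa=2\nwpa_key_mgmt=SAE\nrsn_pairwise=CCMP\n"
            "ieee80211w=2\nsae_password=constructed-sample\n")


def parse_hostapd(text: str) -> dict:
    """Minimal key=value parser for hostapd.conf; skips blank lines and '#' comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf


def classify(text: str) -> tuple:
    """Returns (label, findings). The label is the weakest mode a client can negotiate;
    findings list the settings a defender would want to change. Only explicit values
    are considered; hostapd's own defaults are not modelled here."""
    c = parse_hostapd(text)
    findings = []
    if any(k.startswith("wep_key") for k in c):
        return "WEP", ["static WEP key configured; key never changes once recovered"]
    wpa = int(c.get("wpa", "0"))  # hostapd bit field: 1 = WPA, 2 = WPA2/RSN, 3 = both
    if wpa == 0:
        return "Open", ["no authentication; a captive portal does not change this"]
    akm = set(c.get("wpa_key_mgmt", "WPA-PSK").split())
    ciphers = set((c.get("wpa_pairwise", "") + " " + c.get("rsn_pairwise", "")).split())
    if "TKIP" in ciphers:
        findings.append("TKIP allowed; keeps WEP-era design for legacy clients")
    if wpa & 1:
        findings.append("WPA (v1) still enabled")
    if c.get("ieee80211w", "0") != "2":
        findings.append("management frame protection not required (ieee80211w=2)")
    if "SAE" in akm:
        label = "WPA3-SAE" if akm == {"SAE"} else "WPA3-transition"
    elif wpa == 2 and "CCMP" in ciphers:
        label = "WPA2-AES"
    else:
        label = "WPA-TKIP"
    return label, findings
```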
The access point first sends an ANonce (authenticator nonce) to the supplicant. The supplicant checks the replay counter to make sure that no replay attack is being performed. The supplicant then uses the PMK from earlier, the ANonce, and its own SNonce (supplicant nonce) to generate the PTK (Pairwise Transient Key).
The PTK is used to encrypt and decrypt unicast traffic for the session. The client sends the SNonce back to the authenticator, and the access point derives the same PTK from this information. At this point both the client device and the access point hold the same PTK without it ever being exposed over the air, because the PTK is calculated independently on both devices.
The SNonce is protected by a MIC (Message Integrity Check) to make sure it is not tampered with while in the air.
Next, the RSN Information Element must be validated. Like the SNonce, it is protected by the MIC. A GTK (Group Temporal Key) is used by the access point to send traffic to multiple clients; if the GTK needs to be changed, it can be delivered in the RSN Information Element validation message.
Once the supplicant receives this message, it knows that it is communicating with a trusted access point and that no replay attack has taken place, and it now shares the same PTK and GTK with the access point.
It then sends back an EAPOL-Key ACK frame, which simply acknowledges that the handshake completed successfully and closes the process.
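As an added example (not from the original post), the following Python simulates the key derivation behind message 2: both sides compute the PTK from the PMK, both MAC addresses and both nonces using the 802.11 PRF, and the authenticator verifies the MIC that protects the SNonce. The PMK, MAC addresses and EAPOL-Key body are constructed sample values, and the WPA2-CCMP variant (PRF-384 and HMAC-SHA1-128 MIC) is assumed.

```python
import hashlib
import hmac
import os

# Added example (not from the original post): WPA2-CCMP pairwise key expansion and the
# EAPOL-Key MIC check from message 2 of the 4-way handshake. All key material, addresses
# and frame bytes below are constructed sample values.


def prf_384(key: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11 PRF-384: HMAC-SHA1 in counter mode, truncated to 48 bytes."""
    out = b"".join(
        hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(3)
    )
    return out[:48]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """Both sides compute the same PTK from the PMK, both MACs and both nonces.
    Inputs are ordered min/max so each side builds an identical byte string."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf_384(pmk, b"Pairwise key expansion", data)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}  # three 128-bit parts


def eapol_mic(kck: bytes, frame_with_zero_mic: bytes) -> bytes:
    """WPA2 (AKM 00-0F-AC:2): MIC = HMAC-SHA1 over the EAPOL-Key frame, first 16 bytes."""
    return hmac.new(kck, frame_with_zero_mic, hashlib.sha1).digest()[:16]


def handshake_msg2_verified(tamper_snonce: bool = False) -> bool:
    """Supplicant derives its PTK and signs its SNonce; the authenticator derives the
    PTK independently from the received SNonce and checks the MIC."""
    pmk = hashlib.sha256(b"constructed-sample-pmk").digest()  # constructed 256-bit PMK
    aa, spa = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    anonce, snonce = os.urandom(32), os.urandom(32)

    # Supplicant: has ANonce from message 1, picks SNonce, derives PTK, computes MIC.
    sup_ptk = derive_ptk(pmk, aa, spa, anonce, snonce)
    body = b"\x02\x01\x0a" + snonce  # constructed stand-in for the EAPOL-Key fields
    mic = eapol_mic(sup_ptk["kck"], body)

    if tamper_snonce:  # SNonce altered in the air: the MIC no longer matches
        snonce = bytes([snonce[0] ^ 0xFF]) + snonce[1:]
        body = b"\x02\x01\x0a" + snonce

    # Authenticator: derives its own PTK from the received SNonce and verifies the MIC.
    auth_ptk = derive_ptk(pmk, aa, spa, anonce, snonce)
    return hmac.compare_digest(eapol_mic(auth_ptk["kck"], body), mic)
```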
After open authentication comes 802.1X authentication, which involves three elements: the supplicant (client device), the authenticator (access point), and the RADIUS server. Open authentication is a prerequisite for 802.1X authentication.
The supplicant starts communicating with the authenticator by initiating an EAP exchange. The exchange starts with the client sending an EAPOL-Start. The authenticator then requests an identity from the client (EAP Request/Identity).
The client sends back its identity (EAP Response/Identity), and at this point the access point opens its uncontrolled port to let EAP traffic into the network. A RADIUS Access-Request is then sent to the RADIUS server.
The RADIUS server checks its database to ensure that the identity the client sent is authorized. Once the database validates the identity, the RADIUS server sends back an Access-Challenge to the supplicant via the authenticator.
An EAP challenge request is issued, and the client sends its EAP response back to the RADIUS server via the uncontrolled port. Once the database determines that the challenge succeeded, a master session key is generated on both the client device and the RADIUS server.
This master key is used to derive the PMK. The PMK exists only on the client device and the authenticator, and it is unique to this client and session.
In open system authentication, the access point typically broadcasts its SSID so that devices can easily find the network and associate with it. The client device first sends an authentication request frame to the access point, which processes the request and sends a response back to the client device.
The client device then sends an association request to the access point. Once received, the access point sends an association response to the client device, and association is complete.
Open system authentication simply allows a client device to connect to an access point; it includes no security measure that verifies the client is legitimate.
An exception of sorts is the captive portal, a form asking for your information or your consent to the rules of use that you must submit before you may use the network. However, once open system authentication is completed, the client is connected to the access point whether or not a captive portal is present.
Here at Codvo.ai, we take security very seriously. We recognize that wireless authentication and key generation are industry standard ways in which one can secure their access points and client devices. The presence of wireless authentication is necessary for every client device and access point. Our experts can help verify the robustness of your organization’s network security and analyze network traffic to sniff out bad actors.
If you are interested, contact us today at email@example.com!